CloudBees Security Advisory 2020-05-26
This advisory announces vulnerabilities in CloudBees Jenkins Platform and CloudBees Core.
Open Redirect vulnerability in Authentication Mechanism in SSO
As part of the SSO process, the CloudBees Jenkins Operations Center (CJOC) redirects the user to the Master URL to finish the SSO process. The Master was vulnerable to Host Header injection, leading to an Open Redirect vulnerability which may allow an attacker to steal a victim's SSO session.
This issue is due to an incomplete fix of CTR-1098, announced in 2020-03-09 and wrongly called "CSRF in Authentication Mechanism in SSO". The vulnerability was not CSRF, but Open Redirect.
Masters now only support SSO requests from Hosts (or X-Forwarded-Host) matching the configured Jenkins Root URL. Any attempt to use a different URL will redirect to the configured Jenkins Root URL.
This can be disabled in the Operations Center by setting the property `com.cloudbees.opscenter.server.sso.SSOConfiguration.masterRootURLStrictCheckingDisabled=true`, but will make the product insecure, so it should only be used as a temporary workaround.
CloudBees Traditional Platforms should be upgraded 184.108.40.206
CloudBees Cloud Platforms should be upgraded 220.127.116.11
CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to 18.104.22.168
CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 22.214.171.124
CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.190.x.0.z) should be upgraded to version 126.96.36.199.2 rev3